Bug 538219
| Summary: | Fedora's ca-bundle.crt doesn't contain the CAcert CA certificates | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Scheck <redhat-bugzilla> | ||||
| Component: | ca-certificates | Assignee: | Joe Orton <jorton> | ||||
| Status: | CLOSED DEFERRED | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | rawhide | CC: | fitzsim, jorton, tmraz | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-11-18 09:48:45 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Robert Scheck
2009-11-17 23:27:17 UTC
Created attachment 369982 [details]
Patch to add the missing functionality to mkcabundle.pl
As the same issue exists in RHEL, the RHEL issue is tracked in bug #538222 The root CA bundle is kept in sync with the Mozilla CA bundle. The CACert root cert will be included if and only Mozilla upstream accept it. The bug tracking CACert's inclusion in the Mozilla root CA bundle is here: https://bugzilla.mozilla.org/show_bug.cgi?id=215243 I don't care about Mozilla and their crazy thinking and their for years now existing but never-finished processes about what should be included or not. We are Fedora, not Mozilla. We've "first", "freedom", "friends", "features" in our F. We even don't include our Fedora CA which unfortunately causes same trouble to our Fedora users. And in fact, CAcert is one of *the* open and community CAs. And when looking to RHEL, Red Hat even includes their own CA there. I can't see any good reason not to do the same or similar for Fedora. If you don't agree with me, I'll open a FESCo ticket to escalate here. We are not in a position to manage a trusted root certificate list ourselves. We would have to carefully examine policies (and even better verify that the CAs actually adhere to them) of the certificate authorities ourselves and that is not a job for a single package maintainer in Fedora. But feel free to escalate to FESCo but I do not think they can force the burden of managing such list to any single package maintainer. As Tomas says, the Fedora Project does not have the resources to vet and validate third-party Certificate Authorities ourselves. Mozilla have an excellent process for doing this and I trust them to follow it. They are our upstream here, and it is right and proper that we defer to them. Doing it this way also means that OpenSSL- and GnuTLS-based packages can keep vaguely in sync with NSS-based packages within the distribution, so far as the root CA bundle goes. If you have issues with the Mozilla CA process I would expect you to attempt to resolve such issues upstream in the first instance, as we would with any other upstream project. Making extravagant claims about their "crazy thinking" does not in any way encourage me to trust you above them in making decisions on what CAs we should include in the root CA bundle. Please do not re-open this bug. We can discuss further on fedora-devel if you wish. FESCo ticket: https://fedorahosted.org/fesco/ticket/276 |